With the increased adoption of cloud computing services by enterprises, security teams have come to understand
that cloud providers will now largely handle many of their traditional security controls and processes.
For example, incident response and digital forensics, once critical in-house processes, are now mostly maintained by providers. Some organizations might see the casting off of such responsibilities as a positive for cloud computing, but, unfortunately, many enterprises haven't been successful in determining what providers' real capabilities are in these areas.
A recent white paper by the Cloud Security Alliance (CSA) Incident Management and Forensics Working Group, titled Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing, attempts to tackle some of these lingering questions concerning cloud provider forensics capabilities. The working group detailed the types of forensic activities and controls consumers should expect from cloud providers in a variety of service models, as well as the types of contractual statements and elements that should be included in legal and service-level agreements (SLAs). The working group also described the various types of evidence that cloud consumers should discuss with their providers, along with some common best practices and cloud-centric approaches that align with international forensics and response standards.
For many enterprises, a good starting point for getting a handle on providers' capabilities is to formulate a list of questions to ask cloud providers during the preliminary stages of research and/or contract negotiations. Here are ten questions for cloud providers that most enterprises will find applicable when evaluating their cloud forensics capabilities:
1. First, what types of data can and will be provided to you both regularly (preferred for larger, more mature forensics teams) and when needed during investigations? Per the CSA document, these data types may include the following:
a. Web server logs
b. Application server logs
c. Database logs
d. Virtual machine guest operating system logs
e. Virtualization hypervisor host access logs
f. Virtualization management platform logs and SaaS portal logs
g. Network captures
h. Billing records
i. Management portal logs
j. API logs
k. Cloud or network provider perimeter network logs
l. Logs from DNS servers
2. What types of evidence are provided and in what time frame as part of contracts, and specifically within SLAs? Cloud consumers should be looking to receive logs, virtual machine copies and potentially network and/or storage traffic, where applicable.
3. Does the provider maintain current lists of contacts in law enforcement and legal/regulatory areas to provide assistance with and guidance during data breach scenarios?
4. Does the cloud provider allow affected customers to participate in incident response and forensics investigations, and, if so, to what extent? Also, how are intrusion event logs and other evidence files protected?
5. What sort of data retention and disposal lifecycle policies and processes are in place for security events and other related information? How are virtual disk files overwritten? These questions are critical to understanding the data retention and protection lifecycle at a cloud provider.
6. What forensics and incident response skills do cloud service provider (CSP) security teams possess? Evidence of industry certifications and experience with well-known tools and techniques should be expected. These include the SANS GIAC Certified Forensic Analyst (GCFA), GIAC Certified Incident Handler (GCIH), GIAC Certified Forensic Examiner (GCFE), Certified Computer Examiner (CCE) and more. Tools and techniques would include use of industry-leading forensic techniques, as well as reverse-engineering skills and data and network traffic acquisition skills.
7. What forensic and response processes have been implemented to accommodate virtual infrastructure and cloud management platforms internally? For example, do the CSP teams use virtual machine snapshots for evidence acquisition? Any legitimate cloud provider should be able to give solid details of its virtualization-specific experience and capabilities.
8. In a multi-tenant environment, what steps do CSP teams take to minimize impact to tenants when another tenant experiences a security incident?
9. How do CSPs handle network-based monitoring and tracking within virtual environments? Are virtual firewalls or other appliances used? If so, how are they managed? Are proper separation of duties and role-based access controls in place to limit visibility to specific team members in the case of a security incident?
10. What procedures do CSP teams follow to permit law enforcement access to systems and assets? How are unaffected tenants kept separate?
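Questions 1, 2 and 4 above only pay off if the consumer actually verifies what arrives. As an added example (not from the article or the CSA paper), the following Python script checks a provider-delivered evidence bundle three ways: each artifact's content is re-hashed and compared with the SHA-256 digest the provider recorded at acquisition time (question 4, evidence protection), the categories delivered are compared with the twelve evidence types listed under question 1, and each delivery timestamp is checked against a contractual SLA window (question 2). The artifact format, the category names and the sample bundle are constructed for this example; the 72-hour window is an assumed SLA value, not one the article states.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Evidence categories from question 1 (drawn from the CSA paper); the
# snake_case identifiers are this example's own naming, not the CSA's.
CSA_EVIDENCE_TYPES = frozenset({
    "web_server_logs", "application_server_logs", "database_logs",
    "vm_guest_os_logs", "hypervisor_host_access_logs",
    "virtualization_mgmt_and_saas_portal_logs", "network_captures",
    "billing_records", "management_portal_logs", "api_logs",
    "perimeter_network_logs", "dns_server_logs",
})


@dataclass
class Artifact:
    category: str
    recorded_sha256: str    # digest the provider recorded at acquisition time
    content: bytes          # what the consumer actually received
    delivered_at: datetime  # when the provider handed it over


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_bundle(artifacts, incident_declared_at, sla_window):
    """Compare a delivered bundle against the provider's own hashes, the CSA
    evidence-type list, and the contractual delivery window. Returns a report."""
    integrity_failures = sorted(
        a.category for a in artifacts
        if sha256_hex(a.content) != a.recorded_sha256.lower()
    )
    provided = {a.category for a in artifacts}
    deadline = incident_declared_at + sla_window
    late = sorted(a.category for a in artifacts if a.delivered_at > deadline)
    report = {
        "integrity_failures": integrity_failures,
        "missing_categories": sorted(CSA_EVIDENCE_TYPES - provided),
        "unknown_categories": sorted(provided - CSA_EVIDENCE_TYPES),
        "late": late,
    }
    # Missing categories are reported but not fatal: a SaaS tenant will never
    # receive hypervisor logs. A hash mismatch or a late delivery is fatal.
    report["acceptable"] = not integrity_failures and not late
    return report


def sample_report():
    """Constructed bundle: two clean items, one whose content no longer matches
    the recorded digest, and one delivered after the (assumed) 72-hour SLA."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # incident declared
    web = b"203.0.113.7 - - GET /login 200\n"
    api = b"CreateUser ok\n"
    pcap = b"\xd4\xc3\xb2\xa1"          # pcap magic only; constructed sample
    db = b"2024-01-15 SELECT 1\n"
    artifacts = [
        Artifact("web_server_logs", sha256_hex(web), web, t0 + timedelta(hours=6)),
        # recorded digest covers the original log, but an extra line arrived
        Artifact("api_logs", sha256_hex(api), api + b"DeleteUser ok\n", t0 + timedelta(hours=8)),
        Artifact("network_captures", sha256_hex(pcap), pcap, t0 + timedelta(hours=80)),
        Artifact("database_logs", sha256_hex(db), db, t0 + timedelta(hours=12)),
    ]
    return check_bundle(artifacts, t0, timedelta(hours=72))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

In practice the recorded digests would come from a provider-signed manifest delivered separately from the artifacts, so that a tampered log and its hash cannot be altered together; the script deliberately treats the provider's digest as the reference and only reports whether the received bytes still match it.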
Beyond these questions, the CSA guide makes several cloud forensic recommendations regarding clients and mobile devices accessing cloud resources, although many of these are high-level. In all, signing up for a cloud service only to be blindsided when an incident occurs can leave an organization scrambling, so security and operations teams should work diligently to gather as much of this information as possible before signing a contract. If an enterprise doesn't feel 100% comfortable at any point during negotiations with a cloud provider, it should reassess whether that particular provider, or cloud services altogether, is the right fit at the moment.
Ideally, cloud providers will work more closely with customers during incidents in the future, provide reasonable evidence and artifacts and hire security team members with strong forensics and response skills. More cloud consumers requesting (and requiring) information regarding a CSP's forensics processes will help standardize such practices in the future.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC, Lead Faculty at IANS, and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.